I've blogged about this a couple of times already this month. There's a really great article out in the latest MSDN magazine talking about what I've been trying to accomplish in a recent project. I'm still battling with the tools, and getting my arms around WS-Security w/ WS-Policy + WS-PolicyAttachment. Basically I'm using Username Token over SSL, but I want .NET ASMX to broadcast the WS-Security requirements in the WSDL for me...
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-c8a11e1b-249b-4ae1-8790-b4c6b6cdb308">
<wsu:Created>2005-05-06T22:44:58Z</wsu:Created>
<wsu:Expires>2005-05-06T22:49:58Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-6ad707cb-311e-486f-a6c9-9cf2c2c433be">
<wsse:Username>JohnDoe</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">agoodpasswordnotthiscrap</wsse:Password>
<wsse:Nonce>clCKpd+mnts1dskISzOUwQ==</wsse:Nonce>
<wsu:Created>2005-05-06T22:44:58Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
So, while I like being able to grab credentials from the UsernameToken object in RequestSoapContext.Current.Security.Tokens, I hate the fact that I can create a custom SOAP header that shows up in my WSDL, but WSE 2.0 doesn't give me an easy way to do this. Drop me a line if you have suggestions.
